Editing the certificate trust list, Editing the certificate trust – Cisco 3.3 User Manual

Chapter 10 System Configuration: Authentication and Certificates

Cisco Secure ACS Certificate Setup

10-38

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

To add a certificate authority certificate to your local storage, follow these steps:

Step 1

In the navigation bar, click System Configuration.

Step 2

Click ACS Certificate Setup.

Step 3

Click ACS Certification Authority Setup.

Cisco Secure ACS displays the CA Operations table on the Certification
Authorities Setup page.

Step 4

In the CA certificate file box, type the full path and filename for the certificate
you want to use.

Step 5

Click Submit.

The new CA certificate is added to local certificate storage. And, if it is not
already there, the name of the CA that issued the certificate is placed on the CTL.

Tip

To use this new CA certificate to authenticate users, you must edit the
certificate trust list to signify that this CA is trusted. For more
information, see

Editing the Certificate Trust List, page 10-38

.

Editing the Certificate Trust List

Cisco Secure ACS uses the CTL to verify the client certificates. For a CA to be
trusted by Cisco Secure ACS, its certificate must be installed, and the
Cisco Secure ACS administrator must explicitly configure the CA as trusted by
editing the CTL. If the Cisco Secure ACS server certificate is replaced, the CTL
is erased; you must configure the CTL explicitly each time you install or replace
a Cisco Secure ACS server certificate.

Note

The single exception to the requirement that a CA must be explicitly signified as
trustworthy occurs when the clients and Cisco Secure ACS are getting their
certificates from the same CA. You do not need to add this CA to the CTL because
Cisco Secure ACS automatically trusts the CA that issued its certificate.